This repo uses Dependabot for dependency PRs and semantic-release on the default branch (`master`) to publish to npm and maintain `CHANGELOG.md`.
- Branch

  Releases are configured for `master`, which matches the current GitHub default. If you rename the default branch to `main`, update `branches` in both `.github/workflows/release.yml` and `.releaserc.json` to `main`.

- npm Trusted publishing (recommended)

  Publishes from CI use Trusted publishing (OpenID Connect) so you do not store a long-lived `NPM_TOKEN` in GitHub. Requirements are described in the npm docs (Node ≥ 22.14.0 and npm CLI ≥ 11.5.1); this repo’s workflow uses Node 22.14 on GitHub-hosted `ubuntu-latest`.

  On npmjs.com (package → Settings → Trusted publishing):

  - Publisher: GitHub Actions
  - Organization or user: match the GitHub owner (e.g. `cdeutsch` for `github.com/cdeutsch/classy-forms`)
  - Repository: `classy-forms`
  - Workflow filename: `release.yml` (filename only, including `.yml`, must match `.github/workflows/release.yml` exactly)
  - Environment name: leave empty unless you intentionally use a GitHub Environment named in npm; if you set one on npm, configure the same on the workflow job.

  On GitHub: the workflow already declares `id-token: write` (required for OIDC). No `NPM_TOKEN` secret is used.

  After a successful release via this workflow, you can remove any old automation tokens and optionally tighten package Publishing access so publishes go through Trusted publishing only.

  Fallback (unsupported CI only): If you ever publish from a context where Trusted publishing is unavailable, use a short-lived granular access token and set `NPM_TOKEN` for that job only — not the default for this repo.

- `GITHUB_TOKEN`

  Workflows use the built-in `GITHUB_TOKEN`. No secret is required for it. Ensure Settings → Actions → General allows workflow Read and write permissions (needed to push the release commit and create releases).
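
The branch and Trusted publishing settings above have to agree across two files. As an added example (not this repository's code), the Node script below audits workflow and `.releaserc.json` text for that. The function names and both sample inputs are constructed for illustration, and the line-based branch lookup assumes the first `branches:` key in the workflow is the push trigger.

```javascript
// Added example: consistency audit over release config text.
// Inputs are constructed samples, not this repository's real files.

const clean = (s) => s.trim().replace(/^['"]|['"]$/g, '');

// Branch names under the first `branches:` key of a workflow
// (inline `[a, b]` or block `- a` form). Line-based on purpose: no YAML dependency.
function workflowBranches(yaml) {
  const lines = yaml.split('\n');
  const i = lines.findIndex((l) => /^\s*branches:/.test(l));
  if (i === -1) return [];
  const inline = lines[i].match(/\[(.*)\]/);
  if (inline) return inline[1].split(',').map(clean).filter(Boolean);
  const out = [];
  for (let j = i + 1; j < lines.length; j++) {
    const m = lines[j].match(/^\s*-\s+(.+)$/);
    if (!m) break; // first non-list line ends the block
    out.push(clean(m[1]));
  }
  return out;
}

// Returns a list of findings; an empty list means the two files agree.
function auditRelease(workflowYaml, releasercJson) {
  const findings = [];
  if (!/^\s*id-token:\s*write\s*$/m.test(workflowYaml)) {
    findings.push('id-token: write is not declared, so no OIDC token for Trusted publishing');
  }
  if (/\bNPM_TOKEN\b/.test(workflowYaml)) {
    findings.push('workflow references NPM_TOKEN');
  }
  const wf = workflowBranches(workflowYaml);
  // `branches` may be a string, or an array of strings or { name } objects.
  const rc = [].concat(JSON.parse(releasercJson).branches || [])
    .map((b) => (typeof b === 'string' ? b : b.name));
  for (const b of rc) {
    if (!wf.includes(b)) findings.push(`release branch ${b} does not trigger the workflow`);
  }
  return findings;
}

// Constructed samples: a consistent setup, then one that drifted after a partial rename.
const goodWorkflow = 'on:\n  push:\n    branches: [master]\npermissions:\n  contents: write\n  id-token: write\n';
const driftedWorkflow = 'on:\n  push:\n    branches:\n      - master\nenv:\n  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n';

console.log(auditRelease(goodWorkflow, '{"branches": ["master"]}'));
console.log(auditRelease(driftedWorkflow, '{"branches": ["main"]}'));
```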
The CI workflow runs `npm test` and `npm run build` on pull requests and on pushes to `master`, so regressions are caught before or at merge time.
- Push commits to `master` that follow Conventional Commits (e.g. `fix: ...`, `feat: ...`).
- The Release workflow runs tests and `npm run build`, then semantic-release (the build step stays here because `dist/` is not committed and must exist for `npm publish`):
  - Decides the next semver from commits since the last release.
  - Updates `package.json`, `CHANGELOG.md`, and publishes to npm.
  - Creates a Git tag and GitHub Release.
- Release commits include `[skip ci]` in the message so the workflow does not run again on that push.
If there is no user-facing change that matches your configured rules (for example, only `chore:`/`docs:` with the default Angular preset), no new version is published and the workflow still exits successfully.
| Commit type | semver bump |
|---|---|
| `fix:` | patch |
| `feat:` | minor |
| `BREAKING CHANGE:` in footer or `feat!:` / `fix!:` / etc. | major |
Dependabot opens PRs monthly for npm (root and `demo/`) and GitHub Actions. PR titles use `fix(deps):`, which matches the default semantic-release analyzer for a patch bump only when that title survives as the final commit subject on `master` (for example via squash or rebase merge). GitHub’s default merge commit message (`Merge pull request #…`) does not follow Conventional Commits, so those merges usually do not produce a patch release from the PR title alone.
Use Node `^22.14.0` or `≥24.10.0` locally (same range as semantic-release 25 and Trusted publishing). Older 22.x patch levels may show `EBADENGINE` warnings from npm even though install succeeds.
```bash
npm ci
git fetch origin
npx semantic-release --dry-run
```

No publish or git writes occur; useful to see the next version and notes. The configured release branch (`master`) must exist on `origin` or the dry run exits with `ERELEASEBRANCHES`.
Do not run `npm publish` by hand for normal releases. Let the workflow publish so versions, tags, and `CHANGELOG.md` stay aligned. For emergencies only, document the manual steps in an issue and coordinate with npm.